That was it! I have passwords syncing, *BUT* (at the risk of sounding stupid) -- is it not possible to also sync (add) the users from AD to DS? I created a new user in AD and it doesn't propagate to DS, just says:<div><br>

</div><div><div>attempting to sync password for testuser3</div><div>searching for (ntuserdomainid=testuser3)</div><div>There are no entries that match: testuser3</div><div>deferring password change for testuser3</div><br>

<div class="gmail_quote">On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  <div bgcolor="#ffffff" text="#000000"><div class="im">
    On 01/20/2012 12:46 PM, Jimmy wrote:
    <blockquote type="cite">Getting close here... Now I see this message in the
      sync log file:
      <div><br>
      </div>
      <div>
        <div>attempting to sync password for testuser</div>
        <div>searching for (ntuserdomainid=testuser)</div>
        <div>ldap error in queryusername</div>
        <div> 32: no such object</div>
        <div>deferring password change for testuser</div>
      </div>
    </blockquote></div>
    This usually means the search base is incorrect or not found.  You
    can look at the 389 access log to see what it was using as the
    search criteria.<div><div class="h5"><br>
    <blockquote type="cite">
      <div><br>
        <div class="gmail_quote">On Fri, Jan 20, 2012 at 12:23 PM, Rich
          Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <div bgcolor="#ffffff" text="#000000">
              <div> On 01/20/2012 10:23 AM, Jimmy wrote:
                <blockquote type="cite">You are correct. I had installed
                  as an Enterprise root, but the doc I was
                  reading(original link) seemed to say that I had to do
                  the certreq manually, my bad. I think I'm getting
                  closer I can establish an openssl connection from DS
                  to AD but I get these errors:
                  <div> <br>
                  </div>
                  <div>
                    <div> openssl s_client -connect <a href="http://192.168.201.150:636" target="_blank">192.168.201.150:636</a>
                      -showcerts -CAfile dsca.crt</div>
                    <div>CONNECTED(00000003)</div>
                    <div>depth=0 CN = csp-ad.cspad.pdh.csp</div>
                    <div> verify error:num=20:unable to get local issuer
                      certificate</div>
                    <div>verify return:1</div>
                    <div>depth=0 CN = csp-ad.cspad.pdh.csp</div>
                    <div>verify error:num=27:certificate not trusted</div>
                    <div>verify return:1</div>
                    <div>depth=0 CN = csp-ad.cspad.pdh.csp</div>
                    <div>verify error:num=21:unable to verify the first
                      certificate</div>
                    <div>verify return:1</div>
                    <div><br>
                    </div>
                    <div>I thought I had imported the cert from AD but
                      it doesn't seem so. I'm still researching but if
                      you guys have a suggestion let me know.</div>
                  </div>
                </blockquote>
              </div>
              Is dsca.crt the CA that issued the DS server cert?  If so,
              that won't work.  You need the CA cert from the CA that
              issued the AD server cert (i.e. the CA cert from the MS
              Enterprise Root CA).
              <div>
                <div><br>
                  <blockquote type="cite">
                    <div>
                      <div>-J</div>
                      <br>
                      <div class="gmail_quote"> On Thu, Jan 19, 2012 at
                        5:04 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                          <div bgcolor="#ffffff" text="#000000">
                            <div> On 01/19/2012 02:59 PM, Jimmy wrote:
                              <blockquote type="cite">ok. I started from
                                scratch this week on this and I think
                                I've got the right doc and understand
                                better where this is going. My problem
                                now is that when configuring SSL on the
                                AD server (step c in this url:  <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service" target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service</a> )


                                <div> I get this error: </div>
                                <div><br>
                                </div>
                                <div>
                                  <div>certreq -submit request.req
                                    certnew.cer</div>
                                  <div>Active Directory Enrollment
                                    Policy</div>
                                  <div> 
                                    {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}</div>
                                  <div>  ldap:</div>
                                  <div>RequestId: 3</div>
                                  <div>RequestId: "3"</div>
                                  <div>Certificate not issued (Denied)
                                    Denied by Policy Module  0x80094801,
                                    The request does not contain a
                                    certificate template extension or
                                    the CertificateTemplate request
                                    attribute.</div>
                                  <div> The request contains no
                                    certificate template information.
                                    0x80094801 (-2146875391)</div>
                                  <div>Certificate Request Processor:
                                    The request contains no certificate
                                    template information. 0x80094801 (-2146875391)</div>
                                  <div> Denied by Policy Module
                                     0x80094801, The request does not
                                    contain a certificate template
                                    extension or the CertificateTemplate
                                    request attribute.</div>
                                  <div><br>
                                  </div>
                                  <div>The RH doc says to use the
                                    browser if an error occurs and IIS
                                    is running but I'm not running IIS.
                                    I researched that error but didn't
                                    find anything that helps with
                                    FreeIPA and passsync.</div>
                                </div>
                              </blockquote>
                            </div>
                            Hmm - try installing Microsoft Certificate
                            Authority in Enterprise Root CA mode - it
                            will usually automatically create and
                            install the AD server cert.  <a href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync" target="_blank">http://directory.fedoraproject.org/wiki/Howto:WindowsSync</a>
                            <div>
                              <div><br>
                                <blockquote type="cite">
                                  <div>
                                    <div><br>
                                    </div>
                                    <div>Jimmy</div>
                                    <div><br>
                                      <div class="gmail_quote">On Wed,
                                        Jan 11, 2012 at 3:32 PM, Rich
                                        Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
                                        wrote:<br>
                                        <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                          <div bgcolor="#ffffff" text="#000000">
                                            <div> On 01/11/2012 11:22
                                              AM, Jimmy wrote:
                                              <blockquote type="cite">We
                                                need to be able to
                                                replicate user/pass
                                                between Windows 2008 AD
                                                and FreeIPA.</blockquote>
                                              <br>
                                            </div>
                                            That's what IPA Windows Sync
                                            is supposed to do.
                                            <div><br>
                                              <br>
                                              <blockquote type="cite">I
                                                have followed many
                                                different documents and
                                                posted here about it and
                                                from what I've read and
                                                procedures I've followed
                                                we are unable to
                                                accomplish this.</blockquote>
                                              <br>
                                            </div>
                                            What have you tried, and
                                            what problems have you run
                                            into?<br>
                                            <br>
                                            <blockquote type="cite">
                                              <div>It doesn't need to be
                                                a full trust. 
                                                <div> <br>
                                                </div>
                                                <div>Thanks<br>
                                                  <br>
                                                  <div class="gmail_quote">On
                                                    Tue, Jan 10, 2012 at
                                                    3:03 AM, Jan Zelený
                                                    <span dir="ltr"><<a href="mailto:jzeleny@redhat.com" target="_blank">jzeleny@redhat.com</a>></span>
                                                    wrote:<br>
                                                    <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                      <div>
                                                        <div>> Just
                                                          wondering if
                                                          there was
                                                          anyone
                                                          listening on
                                                          the list that
                                                          might be<br>
                                                          > available
                                                          for little
                                                          work
                                                          integrating
                                                          FreeIPA with
                                                          Active
                                                          Directory<br>
                                                          >
                                                           (preferably
                                                          in the south
                                                          east US.) I
                                                          hope this
                                                          isn't against
                                                          the list<br>
                                                          > rules, I
                                                          just thought
                                                          one of you
                                                          guys could
                                                          help or point
                                                          me in the
                                                          right<br>
                                                          >
                                                          direction.<br>
                                                          <br>
                                                        </div>
                                                      </div>
                                                      If you want some
                                                      help, it is
                                                      certainly not
                                                      against list rules
                                                      ;-) But in that<br>
                                                      case, it would be
                                                      much better if you
                                                      asked what exactly
                                                      do you need.<br>
                                                      <br>
                                                      I'm not an AD
                                                      expert, but a
                                                      couple tips: If
                                                      you are looking
                                                      for cross-domain<br>
                                                      (cross-realm)
                                                      trust, then you
                                                      might be a bit
                                                      disappointed, it
                                                      is still in<br>
                                                      development, so it
                                                      probably won't be
                                                      100% functional at
                                                      this moment.<br>
                                                      <br>
                                                      If you are looking
                                                      for something
                                                      else, could you be
                                                      a little more
                                                      specific what<br>
                                                      it is?<br>
                                                      <br>
                                                      I also recommend
                                                      starting with
                                                      reading some doc:<br>
                                                      <a href="http://freeipa.org/page/DocumentationPortal" target="_blank">http://freeipa.org/page/DocumentationPortal</a><br>
                                                      <br>
                                                      Thanks<br>
                                                      <span><font color="#888888">Jan<br>
                                                        </font></span></blockquote>
                                                  </div>
                                                  <br>
                                                </div>
                                              </div>
                                              <pre><fieldset></fieldset>
_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                                            </blockquote>
                                            <br>
                                          </div>
                                        </blockquote>
                                      </div>
                                      <br>
                                    </div>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
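The two passsync log excerpts in this thread show two different failures that both end in "deferring password change": LDAP result 32 (no such object, the configured search base itself does not exist, as Rich points out) versus "There are no entries that match" (the base resolved but no DS entry matched the ntuserdomainid filter, i.e. the user has no entry in DS; passsync only updates passwords on entries that already exist, it does not create them). The following is an added example, not code from the thread or from the passsync/389 projects: a small Python triage script that groups passsync log lines into one record per sync attempt and labels each with the diagnosis it implies. The line formats are taken from the excerpts above; the sample log is constructed from them, and the diagnosis labels are my own naming.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: passsync log lines modelled on the two excerpts quoted in
# this thread (error 32 for testuser, "no entries that match" for testuser3).
SAMPLE_LOG = """\
attempting to sync password for testuser
searching for (ntuserdomainid=testuser)
ldap error in queryusername
 32: no such object
deferring password change for testuser
attempting to sync password for testuser3
searching for (ntuserdomainid=testuser3)
There are no entries that match: testuser3
deferring password change for testuser3
"""

# LDAP result code 32 (noSuchObject): the search base DN itself does not exist.
LDAP_NO_SUCH_OBJECT = 32

_ATTEMPT = re.compile(r"^attempting to sync password for (\S+)$")
_SEARCH = re.compile(r"^searching for (\(.*\))$")
_LDAP_ERR = re.compile(r"^\s*(\d+): (.+)$")
_NO_MATCH = re.compile(r"^There are no entries that match: (\S+)$")
_DEFER = re.compile(r"^deferring password change for (\S+)$")


@dataclass
class SyncAttempt:
    user: str
    search_filter: Optional[str] = None
    ldap_error: Optional[int] = None
    ldap_message: Optional[str] = None
    no_entries: bool = False
    deferred: bool = False

    @property
    def diagnosis(self) -> str:
        """Map what passsync logged to the operator action it implies."""
        if self.ldap_error == LDAP_NO_SUCH_OBJECT:
            # The base DN passsync searches under was not found: fix the
            # configured search base (compare with what the 389 access log
            # shows the server actually received).
            return "search-base-missing"
        if self.no_entries:
            # Base DN resolved but nothing matched the filter: the user has no
            # entry in DS.  passsync only updates passwords on existing
            # entries; the entry itself has to come from the winsync agreement.
            return "user-not-in-ds"
        if self.ldap_error is not None:
            return "ldap-error-%d" % self.ldap_error
        return "no-problem-logged"


def triage_passsync_log(text: str) -> List[SyncAttempt]:
    """Group passsync log lines into one record per sync attempt."""
    attempts: List[SyncAttempt] = []
    current: Optional[SyncAttempt] = None
    expect_ldap_code = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if (m := _ATTEMPT.match(line)):
            current = SyncAttempt(user=m.group(1))
            attempts.append(current)
            expect_ldap_code = False
            continue
        if current is None:
            continue  # lines before the first attempt carry no user context
        if (m := _SEARCH.match(line)):
            current.search_filter = m.group(1)
        elif line == "ldap error in queryusername":
            expect_ldap_code = True  # the code and message follow on the next line
        elif expect_ldap_code and (m := _LDAP_ERR.match(line)):
            current.ldap_error = int(m.group(1))
            current.ldap_message = m.group(2)
            expect_ldap_code = False
        elif _NO_MATCH.match(line):
            current.no_entries = True
        elif _DEFER.match(line):
            current.deferred = True
    return attempts


def summarize(attempts: List[SyncAttempt]) -> Dict[str, List[str]]:
    """Users grouped by diagnosis, for a quick 'what do I fix' view."""
    out: Dict[str, List[str]] = {}
    for a in attempts:
        out.setdefault(a.diagnosis, []).append(a.user)
    return out


if __name__ == "__main__":
    for a in triage_passsync_log(SAMPLE_LOG):
        print(f"{a.user}: {a.diagnosis} (filter={a.search_filter}, deferred={a.deferred})")
    print(summarize(triage_passsync_log(SAMPLE_LOG)))
```

Run it against a real passsync log file in place of SAMPLE_LOG; a "search-base-missing" result means the passsync configuration needs attention, while "user-not-in-ds" means the entry has to be created on the DS side first (passsync itself will keep deferring the change until a matching entry exists).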